From a6041dcc9378790a2e2bcc3e2e1f21f1894fcaee Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 25 Aug 2025 12:48:06 +0000 Subject: [PATCH] Add content from: Countering EDRs With The Backing Of Protected Process Light ... --- src/windows-hardening/av-bypass.md | 79 ++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md index ff2d75525..70f6e05c5 100644 --- a/src/windows-hardening/av-bypass.md +++ b/src/windows-hardening/av-bypass.md @@ -755,10 +755,89 @@ After replacing the original files and restarting the service stack: This case study demonstrates how purely client-side trust decisions and simple signature checks can be defeated with a few byte patches. +## Abusing Protected Process Light (PPL) To Tamper AV/EDR With LOLBINs + +Protected Process Light (PPL) enforces a signer/level hierarchy so that only equal-or-higher protected processes can tamper with each other. Offensively, if you can legitimately launch a PPL-enabled binary and control its arguments, you can convert benign functionality (e.g., logging) into a constrained, PPL-backed write primitive against protected directories used by AV/EDR. + +What makes a process run as PPL +- The target EXE (and any loaded DLLs) must be signed with a PPL-capable EKU. +- The process must be created with CreateProcess using the flags: `EXTENDED_STARTUPINFO_PRESENT | CREATE_PROTECTED_PROCESS`. +- A compatible protection level must be requested that matches the signer of the binary (e.g., `PROTECTION_LEVEL_ANTIMALWARE_LIGHT` for anti-malware signers, `PROTECTION_LEVEL_WINDOWS` for Windows signers). Wrong levels will fail at creation. + +See also a broader intro to PP/PPL and LSASS protection here: + +{{#ref}} +stealing-credentials/credentials-protections.md +{{#endref}} + +Launcher tooling +- Open-source helper: CreateProcessAsPPL (selects protection level and forwards arguments to the target EXE): + - [https://github.com/2x7EQ13/CreateProcessAsPPL](https://github.com/2x7EQ13/CreateProcessAsPPL) +- Usage pattern: + +```text +CreateProcessAsPPL.exe [args...] +# example: spawn a Windows-signed component at PPL level 1 (Windows) +CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe +# example: spawn an anti-malware signed component at level 3 +CreateProcessAsPPL.exe 3 +``` + +LOLBIN primitive: ClipUp.exe +- The signed system binary `C:\Windows\System32\ClipUp.exe` self-spawns and accepts a parameter to write a log file to a caller-specified path. +- When launched as a PPL process, the file write occurs with PPL backing. +- ClipUp cannot parse paths containing spaces; use 8.3 short paths to point into normally protected locations. + +8.3 short path helpers +- List short names: `dir /x` in each parent directory. +- Derive short path in cmd: `for %A in ("C:\ProgramData\Microsoft\Windows Defender\Platform") do @echo %~sA` + +Abuse chain (abstract) +1) Launch the PPL-capable LOLBIN (ClipUp) with `CREATE_PROTECTED_PROCESS` using a launcher (e.g., CreateProcessAsPPL). +2) Pass the ClipUp log-path argument to force a file creation in a protected AV directory (e.g., Defender Platform). Use 8.3 short names if needed. +3) If the target binary is normally open/locked by the AV while running (e.g., MsMpEng.exe), schedule the write at boot before the AV starts by installing an auto-start service that reliably runs earlier. Validate boot ordering with Process Monitor (boot logging). +4) On reboot the PPL-backed write happens before the AV locks its binaries, corrupting the target file and preventing startup. + +Example invocation (paths redacted/shortened for safety): + +```text +# Run ClipUp as PPL at Windows signer level (1) and point its log to a protected folder using 8.3 names +CreateProcessAsPPL.exe 1 C:\Windows\System32\ClipUp.exe -ppl C:\PROGRA~3\MICROS~1\WINDOW~1\Platform\\samplew.dll +``` + +Notes and constraints +- You cannot control the contents ClipUp writes beyond placement; the primitive is suited to corruption rather than precise content injection. +- Requires local admin/SYSTEM to install/start a service and a reboot window. +- Timing is critical: the target must not be open; boot-time execution avoids file locks. + +Detections +- Process creation of `ClipUp.exe` with unusual arguments, especially parented by non-standard launchers, around boot. +- New services configured to auto-start suspicious binaries and consistently starting before Defender/AV. Investigate service creation/modification prior to Defender startup failures. +- File integrity monitoring on Defender binaries/Platform directories; unexpected file creations/modifications by processes with protected-process flags. +- ETW/EDR telemetry: look for processes created with `CREATE_PROTECTED_PROCESS` and anomalous PPL level usage by non-AV binaries. + +Mitigations +- WDAC/Code Integrity: restrict which signed binaries may run as PPL and under which parents; block ClipUp invocation outside legitimate contexts. +- Service hygiene: restrict creation/modification of auto-start services and monitor start-order manipulation. +- Ensure Defender tamper protection and early-launch protections are enabled; investigate startup errors indicating binary corruption. +- Consider disabling 8.3 short-name generation on volumes hosting security tooling if compatible with your environment (test thoroughly). + +References for PPL and tooling +- Microsoft Protected Processes overview: https://learn.microsoft.com/windows/win32/procthread/protected-processes +- EKU reference: https://learn.microsoft.com/openspecs/windows_protocols/ms-ppsec/651a90f3-e1f5-4087-8503-40d804429a88 +- Procmon boot logging (ordering validation): https://learn.microsoft.com/sysinternals/downloads/procmon +- CreateProcessAsPPL launcher: https://github.com/2x7EQ13/CreateProcessAsPPL +- Technique writeup (ClipUp + PPL + boot-order tamper): https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html + ## References - [Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/) - [Synacktiv – Should you trust your zero trust? Bypassing Zscaler posture checks](https://www.synacktiv.com/en/publications/should-you-trust-your-zero-trust-bypassing-zscaler-posture-checks.html) - [Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations](https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/) +- [Microsoft – Protected Processes](https://learn.microsoft.com/windows/win32/procthread/protected-processes) +- [Microsoft – EKU reference (MS-PPSEC)](https://learn.microsoft.com/openspecs/windows_protocols/ms-ppsec/651a90f3-e1f5-4087-8503-40d804429a88) +- [Sysinternals – Process Monitor](https://learn.microsoft.com/sysinternals/downloads/procmon) +- [CreateProcessAsPPL launcher](https://github.com/2x7EQ13/CreateProcessAsPPL) +- [Zero Salarium – Countering EDRs With The Backing Of Protected Process Light (PPL)](https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html) {{#include ../banners/hacktricks-training.md}}